DOCSLIB.ORG

On the Weaknesses of PBKDF2 ⋆

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

On the weaknesses of PBKDF2 ? Andrea Visconti??, Simone Bossi, Hany Ragab, and Alexandro Calò Cryptography and Coding Laboratory (CLUB), Department of Computer Science, Università degli Studi di Milano http://www.club.di.unimi.it/ [email protected] {simone.bossi2,hany.ragab,alexandro.calo}@studenti.unimi.it Abstract. Password-based key derivation functions are of particular interest in cryptography because they (a) input a password/passphrase (which usually is short and lacks enough entropy) and derive a crypto- graphic key; (b) slow down brute force and dictionary attacks as much as possible. In PKCS#5 [19], RSA Laboratories described a password based key derivation function called PBKDF2 that has been widely adopted in many security related applications [7], [13], [6]. In order to slow down brute force attacks, PBKDF2 introduce CPU-intensive operations based on an iterated pseudorandom function. Such a pseudorandom function is HMAC-SHA-1 by default. In this paper we show that, if HMAC-SHA-1 is computed in a standard mode without following the performance im- provements described in the implementation note of RFC 2104 [15] and FIPS 198-1 [16], an attacker is able to avoid 50% of PBKDF2's CPU in- tensive operations, by replacing them with precomputed values. We note that a number of well-known and widely-used crypto libraries are sub- ject to this vulnerability. In addition to such a vulnerability, we describe some other minor optimizations that an attacker can exploit to reduce even more the key derivation time. Keywords: Key derivation function (KDF), HMAC-SHA1, PKCS#5, optimizations, CPU-intensive operations 1 Introduction Passwords are widely used to protect secret data or to gain access to specic resources. For sake of security, they should be strong enough ? A shorter version of this paper appeared in the Proceedings of the 14th International Conference on Cryptology and Network Security (CANS 2015), Springer Interna- DRAFTtional Publishing, LNCS 9476. ?? Corresponding author: [email protected] to prevent well-know attacks such as dictionary and brute force at- tacks. Unfortunately, user-chosen passwords are generally short and lack enough entropy [11], [21], [18]. For these reasons, they cannot be directly used as a key to implement secure cryptographic sys- tems. A possible solution to this issue is to adopt a key derivation function (KDF), that is a function which takes a source of initial keying material and derives from it one or more pseudorandom keys. Such a key material can be the output of a pseudo-random number generator, a bit sequence obtained by a statistical sampler, a shared Die-Hellman value, a user-chosen password, or any bit sequence from a source of more or less entropy [14]. KDF that input user passwords are known as password-based KDF. Such functions are of particular interest in cryptography because they introduce CPU- intensive operations on the attacker side, increasing the cost of an exhaustive search. By applying a KDF to a user password, we allow legitimate users to spend a moderate amount of time on key deriva- tion, while increase the time an attacker takes to test each possible password. The approach based on KDF not only slows down a brute force attack as much as possible but also allows to increase the size of a cryptographic key. In PKCS#5 [19], RSA Laboratories provides a number of recom- mendations for the implementation of password-based cryptography. In particular, they described Password-Based Key Derivation Func- tion version 2 (PBKDF2), a function widely used to derive keys and implemented in many security-related systems. For example, PBKDF2 is involved in Android's full disk encryption (since version 3.0 Honeycomb to 4.3 Jelly Bean) 1, in WPA/WPA2 encryption process [13], in LUKS[12][7], EncFS [2], FileVault Mac OS X [6], [8], GRUB2 [3], Winrar [5], and many others. In order to slow down the attackers, PBKDF2 uses a salt to pre- vent building universal dictionaries, and an iteration count which species the number of times the underlying pseudorandom function is called to generate a block of keying material. The number of it- erations is a crucial point of the KDF. The choice of a reasonable value for the iteration count depends on the environment and can 1DRAFTAt the time of writing this represents 58% of the Android devices market share (see developer.android.com). vary from an application to another. In SP 800-132 [17], Turan et al. suggests that it is a good practice to select the iteration count as large as possible, as long the time required to generate the key is acceptable for the user. Moreover, they specify that for very critical keys on very powerful system an iteration count of 10,000,000 may be appropriate, while a minimum of 1,000 iterations is recommended for general purpose. PBKDF2 introduce CPU-intensive operations based on an it- erated pseudorandom function. Such a pseudorandom function is HMAC-SHA-1 by default. In this paper we show that, if HMAC-SHA-1 is computed in a standard mode without following the performance improvements described in the implementation note of RFC 2104 [15] and FIPS 198-1 [16], an attacker is able avoid 50% of PBKDF2's CPU inten- sive operations, by replacing them with precomputed values. Readers note that a number of well-known and widely-used crypto libraries e.g.,[4,1], are subject to this vulnerability, therefore an attacker is able to derive keys signicantly faster than a regular user can do. Moreover, we present some other minor optimizations (based on the hash function used) that can be exploited by an attacker to reduce even more the key derivation time. The remainder of the paper is organized as follows. In Section 2, we present Password Based Key Derivation Function version 2 (PBKDF2). In Section 3 we briey describe HMAC, that is the pseu- dorandom function adopted in PBKDF2. In Section 4 we present the weaknesses of PBKDF2. Finally, discussion and conclusions are drawn in Section 5. 2 PBKDF 2 Password Based Key Derivation Function version 2, PBKDF2 for short, is a key derivation function published by RSA Laboratories in PKCS #5 [19]. In order to face brute force attacks based on weak user passwords, PBKDF2 introduce CPU-intensive operations. Such operations are based on an iterated pseudorandom function (PRF) e.g. a hash function, cipher, or HMAC which maps input values toDRAFT a derived key. One of the most important properties to assure is that PBKDF2 is cycle free. If this is not so, a malicious user can avoid the CPU-intensive operations and get the derived key by executing a set of equivalent, but less onerous, instructions. Unlike its prede- cessor (PBKDF version 1) in which the length of the derived key is bounded by the length of the underlying PRF output, PBKDF2 can derive keys of arbitrary length. More precisely, PBKDF2 generates as many blocks Ti as needed to cover the desired key length. Each block Ti is computed iterating the PRF many times as specied by an iteration count. The length of such blocks is bounded by hLen, which is the length of the underlying PRF output. In the sequel by PRF we will refer to HMAC with the SHA-1 hash function, that is the default as per [19]. Note that HMAC can be used with any other iterated hash functions such as RIPEMD, SHA-256 or SHA-512. PBKDF2 inputs a user password/passphrase p, a random salt s, an iteration counter c, and derived key length dkLen. It outputs a derived key DK. DK = P BKDF 2(p; s; c; dkLen) (1) The derived key is dened as the concatenation of ddkLen=hLene- blocks: DK = T1jjT2jj ::: jjTddkLen=hLene (2) where T1 = F unction(p; s; c; 1) T2 = F unction(p; s; c; 2) . TddkLen=hLene = F unction(p; s; c; ddkLen=hLene): Each single block Ti i.e., Ti = F unction(p; s; c; i) is computed as Ti = U1 ⊕ U2 ⊕ ::: ⊕ Uc (3) where U1 = P RF (p; sjji) U2 = P RF (p; U1) . DRAFT. Uc = P RF (p; Uc−1) 3 HMAC Hash-based Message Authentication Code (HMAC) is an algorithm for computing a message authentication code based on a crypto- graphic hash function. The denition of HMAC [15] requires H : any cryptographic hash function; K : the secret key; text : the message to be authenticated. In this paper, we will focus on HMAC-SHA1 that is the default PRF for PBKDF2 [19]. As described in RFC 2104 [15], HMAC can be dened as follows: HMAC = H(K ⊕ opad; H(K ⊕ ipad; text)) (4) where H is the chosen hash function, K is the secret key, and ipad, opad are the constant values (respectively, the byte 0x36 and 0x5C repeated 64 times) XORed with the password. Equation 4 can be expanded in the form: h = H(K ⊕ ipad jj text) (5) HMAC = H(K ⊕ opad jj h) Using SHA1 as cryptographic hash function, equation 5 can be graph- ically represented as in Figure 1. DRAFTFig. 1. HMAC-SHA-1 4 Weaknesses In this section we present some weaknesses of PBKDF2. The major one concerns the precomputation of specic values that can be reused during the key derivation process. The others aim to avoid useless operations during the computation of the hash function. We will describe these weaknesses using as an example the pa- rameters dened by LUKS format [11][12] i.e., a salt length of 256 bits, and HMAC-SHA-1 as PRF. 4.1 Precomputing a message block Looking closely at Figure 2, note the following: rst message block of a keyed hash function is repeated c times (the green rectangles in Figure 2); rst message block of a second keyed hash function is repeated c times (the orange rectangles in Figure 2); all green rectangles have the same content and they can assume only the values SHA1(P ⊕ ipad); all orange rectangles rectangles have the same content and they can assume only the values SHA1(P ⊕ opad); Thus, it is possible to compute these two blocks in advance i.e., SHA1(P ⊕ ipad) and SHA-1(P ⊕ opad) 2 and then use such values for c times.
Recommended publications
  • Reconsidering the Security Bound of AES-GCM-SIV

    Reconsidering the Security Bound of AES-GCM-SIV

    Background on AES-GCM-SIV Fixing the Security Bound Improving Key Derivation Final Remarks Reconsidering the Security Bound of AES-GCM-SIV Tetsu Iwata1 and Yannick Seurin2 1Nagoya University, Japan 2ANSSI, France March 7, 2018 — FSE 2018 T. Iwata and Y. Seurin Reconsidering AES-GCM-SIV’s Security FSE 2018 1 / 26 Background on AES-GCM-SIV Fixing the Security Bound Improving Key Derivation Final Remarks Summary of the contribution • we reconsider the security of the AEAD scheme AES-GCM-SIV designed by Gueron, Langley, and Lindell • we identify flaws in the designers’ security analysis and propose a new security proof • our findings leads to significantly reduced security claims, especially for long messages • we propose a simple modification to the scheme (key derivation function) improving security without efficiency loss T. Iwata and Y. Seurin Reconsidering AES-GCM-SIV’s Security FSE 2018 2 / 26 Background on AES-GCM-SIV Fixing the Security Bound Improving Key Derivation Final Remarks Summary of the contribution • we reconsider the security of the AEAD scheme AES-GCM-SIV designed by Gueron, Langley, and Lindell • we identify flaws in the designers’ security analysis and propose a new security proof • our findings leads to significantly reduced security claims, especially for long messages • we propose a simple modification to the scheme (key derivation function) improving security without efficiency loss T. Iwata and Y. Seurin Reconsidering AES-GCM-SIV’s Security FSE 2018 2 / 26 Background on AES-GCM-SIV Fixing the Security Bound Improving Key Derivation Final Remarks Summary of the contribution • we reconsider the security of the AEAD scheme AES-GCM-SIV designed by Gueron, Langley, and Lindell • we identify flaws in the designers’ security analysis and propose a new security proof • our findings leads to significantly reduced security claims, especially for long messages • we propose a simple modification to the scheme (key derivation function) improving security without efficiency loss T.
  • NSA Vs. Encryption Article Written by Datto Developer Dan Fuhry First Appeared on Mspmentor.Com in November 2013

    NSA Vs. Encryption Article Written by Datto Developer Dan Fuhry First Appeared on Mspmentor.Com in November 2013

    SuccessArticle: EncryptionStory NSA vs. Encryption Article written by Datto developer Dan Fuhry first appeared on MSPmentor.com in November 2013. If you’ve been watching the news lately, there is no doubt you have heard about the National Security Agency’s (NSA) surveillance scandal. “We will stand in our firm Recent months have seen a revelation of programs commitment to protect you and that capture domestic and international traffic indiscriminately. Encrypted data gets saved for a your customers.” certain number of years, in case they ever decide to decrypt it. If this alarms you, that’s good. You should be alarmed. I was too, on a very personal level, and have actively been working on changing some long-established habits in order to protect the information that is private and personal to me. For MSPs not in the United States you should be even more alarmed. It’s not even your own government that has the encrypted data, and since you don’t have constitutional protection in the U.S., there is nothing legally standing in the NSA’s way to prevent them from using their dark magical cryptographic powers to obtain your confidential business or personal data. This is a frightening proposition indeed, which is why I want to talk about the position Datto has taken regarding the recent revelations. Before we go any further, allow me to briefly describe my role here. I’m a developer with Datto, and I designed the encryption feature for Datto SIRIS. I picked the ciphers, hash algorithm parameters, and random number generator algorithm, had them peer-reviewed, and then wrote the code.
  • Analysis of Password Cracking Methods & Applications

    Analysis of Password Cracking Methods & Applications

    The University of Akron IdeaExchange@UAkron The Dr. Gary B. and Pamela S. Williams Honors Honors Research Projects College Spring 2015 Analysis of Password Cracking Methods & Applications John A. Chester The University Of Akron, [email protected] Please take a moment to share how this work helps you through this survey. Your feedback will be important as we plan further development of our repository. Follow this and additional works at: http://ideaexchange.uakron.edu/honors_research_projects Part of the Information Security Commons Recommended Citation Chester, John A., "Analysis of Password Cracking Methods & Applications" (2015). Honors Research Projects. 7. http://ideaexchange.uakron.edu/honors_research_projects/7 This Honors Research Project is brought to you for free and open access by The Dr. Gary B. and Pamela S. Williams Honors College at IdeaExchange@UAkron, the institutional repository of The nivU ersity of Akron in Akron, Ohio, USA. It has been accepted for inclusion in Honors Research Projects by an authorized administrator of IdeaExchange@UAkron. For more information, please contact [email protected], [email protected]. Analysis of Password Cracking Methods & Applications John A. Chester The University of Akron Abstract -- This project examines the nature of password cracking and modern applications. Several applications for different platforms are studied. Different methods of cracking are explained, including dictionary attack, brute force, and rainbow tables. Password cracking across different mediums is examined. Hashing and how it affects password cracking is discussed. An implementation of two hash-based password cracking algorithms is developed, along with experimental results of their efficiency. I. Introduction Password cracking is the process of either guessing or recovering a password from stored locations or from a data transmission system [1].
  • A Password-Based Key Derivation Algorithm Using the KBRP Method

    A Password-Based Key Derivation Algorithm Using the KBRP Method

    American Journal of Applied Sciences 5 (7): 777-782, 2008 ISSN 1546-9239 © 2008 Science Publications A Password-Based Key Derivation Algorithm Using the KBRP Method 1Shakir M. Hussain and 2Hussein Al-Bahadili 1Faculty of CSIT, Applied Science University, P.O. Box 22, Amman 11931, Jordan 2Faculty of Information Systems and Technology, Arab Academy for Banking and Financial Sciences, P.O. Box 13190, Amman 11942, Jordan Abstract: This study presents a new efficient password-based strong key derivation algorithm using the key based random permutation the KBRP method. The algorithm consists of five steps, the first three steps are similar to those formed the KBRP method. The last two steps are added to derive a key and to ensure that the derived key has all the characteristics of a strong key. In order to demonstrate the efficiency of the algorithm, a number of keys are derived using various passwords of different content and length. The features of the derived keys show a good agreement with all characteristics of strong keys. In addition, they are compared with features of keys generated using the WLAN strong key generator v2.2 by Warewolf Labs. Key words: Key derivation, key generation, strong key, random permutation, Key Based Random Permutation (KBRP), key authentication, password authentication, key exchange INTRODUCTION • The key size must be long enough so that it can not Key derivation is the process of generating one or be easily broken more keys for cryptography and authentication, where a • The key should have the highest possible entropy key is a sequence of characters that controls the process (close to unity) [1,2] of a cryptographic or authentication algorithm .
  • BLAKE2: Simpler, Smaller, Fast As MD5

    BLAKE2: Simpler, Smaller, Fast As MD5

    BLAKE2: simpler, smaller, fast as MD5 Jean-Philippe Aumasson1, Samuel Neves2, Zooko Wilcox-O'Hearn3, and Christian Winnerlein4 1 Kudelski Security, Switzerland [email protected] 2 University of Coimbra, Portugal [email protected] 3 Least Authority Enterprises, USA [email protected] 4 Ludwig Maximilian University of Munich, Germany [email protected] Abstract. We present the hash function BLAKE2, an improved version of the SHA-3 finalist BLAKE optimized for speed in software. Target applications include cloud storage, intrusion detection, or version control systems. BLAKE2 comes in two main flavors: BLAKE2b is optimized for 64-bit platforms, and BLAKE2s for smaller architectures. On 64- bit platforms, BLAKE2 is often faster than MD5, yet provides security similar to that of SHA-3: up to 256-bit collision resistance, immunity to length extension, indifferentiability from a random oracle, etc. We specify parallel versions BLAKE2bp and BLAKE2sp that are up to 4 and 8 times faster, by taking advantage of SIMD and/or multiple cores. BLAKE2 reduces the RAM requirements of BLAKE down to 168 bytes, making it smaller than any of the five SHA-3 finalists, and 32% smaller than BLAKE. Finally, BLAKE2 provides a comprehensive support for tree-hashing as well as keyed hashing (be it in sequential or tree mode). 1 Introduction The SHA-3 Competition succeeded in selecting a hash function that comple- ments SHA-2 and is much faster than SHA-2 in hardware [1]. There is nev- ertheless a demand for fast software hashing for applications such as integrity checking and deduplication in filesystems and cloud storage, host-based intrusion detection, version control systems, or secure boot schemes.
  • Implementation and Performance Analysis of PBKDF2, Bcrypt, Scrypt Algorithms

    Implementation and Performance Analysis of PBKDF2, Bcrypt, Scrypt Algorithms

    Implementation and Performance Analysis of PBKDF2, Bcrypt, Scrypt Algorithms Levent Ertaul, Manpreet Kaur, Venkata Arun Kumar R Gudise CSU East Bay, Hayward, CA, USA. [email protected], [email protected], [email protected] Abstract- With the increase in mobile wireless or data lookup. Whereas, Cryptographic hash functions are technologies, security breaches are also increasing. It has used for building blocks for HMACs which provides become critical to safeguard our sensitive information message authentication. They ensure integrity of the data from the wrongdoers. So, having strong password is that is transmitted. Collision free hash function is the one pivotal. As almost every website needs you to login and which can never have same hashes of different output. If a create a password, it’s tempting to use same password and b are inputs such that H (a) =H (b), and a ≠ b. for numerous websites like banks, shopping and social User chosen passwords shall not be used directly as networking websites. This way we are making our cryptographic keys as they have low entropy and information easily accessible to hackers. Hence, we need randomness properties [2].Password is the secret value from a strong application for password security and which the cryptographic key can be generated. Figure 1 management. In this paper, we are going to compare the shows the statics of increasing cybercrime every year. Hence performance of 3 key derivation algorithms, namely, there is a need for strong key generation algorithms which PBKDF2 (Password Based Key Derivation Function), can generate the keys which are nearly impossible for the Bcrypt and Scrypt.
  • Security Policy: Informacast Java Crypto Library

    Security Policy: Informacast Java Crypto Library

    FIPS 140-2 Non-Proprietary Security Policy: InformaCast Java Crypto Library FIPS 140-2 Non-Proprietary Security Policy InformaCast Java Crypto Library Software Version 3.0 Document Version 1.2 June 26, 2017 Prepared For: Prepared By: Singlewire Software SafeLogic Inc. 1002 Deming Way 530 Lytton Ave, Suite 200 Madison, WI 53717 Palo Alto, CA 94301 www.singlewire.com www.safelogic.com Document Version 1.2 © Singlewire Software Page 1 of 35 FIPS 140-2 Non-Proprietary Security Policy: InformaCast Java Crypto Library Abstract This document provides a non-proprietary FIPS 140-2 Security Policy for InformaCast Java Crypto Library. Document Version 1.2 © Singlewire Software Page 2 of 35 FIPS 140-2 Non-Proprietary Security Policy: InformaCast Java Crypto Library Table of Contents 1 Introduction .................................................................................................................................................. 5 1.1 About FIPS 140 ............................................................................................................................................. 5 1.2 About this Document.................................................................................................................................... 5 1.3 External Resources ....................................................................................................................................... 5 1.4 Notices .........................................................................................................................................................
  • Key Derivation Functions and Their GPU Implementation

    Key Derivation Functions and Their GPU Implementation

    MASARYK UNIVERSITY FACULTY}w¡¢£¤¥¦§¨ OF I !"#$%&'()+,-./012345<yA|NFORMATICS Key derivation functions and their GPU implementation BACHELOR’S THESIS Ondrej Mosnáˇcek Brno, Spring 2015 This work is licensed under a Creative Commons Attribution- NonCommercial-ShareAlike 4.0 International License. https://creativecommons.org/licenses/by-nc-sa/4.0/ cbna ii Declaration Hereby I declare, that this paper is my original authorial work, which I have worked out by my own. All sources, references and literature used or excerpted during elaboration of this work are properly cited and listed in complete reference to the due source. Ondrej Mosnáˇcek Advisor: Ing. Milan Brož iii Acknowledgement I would like to thank my supervisor for his guidance and support, and also for his extensive contributions to the Cryptsetup open- source project. Next, I would like to thank my family for their support and pa- tience and also to my friends who were falling behind schedule just like me and thus helped me not to panic. Last but not least, access to computing and storage facilities owned by parties and projects contributing to the National Grid In- frastructure MetaCentrum, provided under the programme “Projects of Large Infrastructure for Research, Development, and Innovations” (LM2010005), is also greatly appreciated. v Abstract Key derivation functions are a key element of many cryptographic applications. Password-based key derivation functions are designed specifically to derive cryptographic keys from low-entropy sources (such as passwords or passphrases) and to counter brute-force and dictionary attacks. However, the most widely adopted standard for password-based key derivation, PBKDF2, as implemented in most applications, is highly susceptible to attacks using Graphics Process- ing Units (GPUs).
  • Thread Commissioning White Paper

    Thread Commissioning White Paper

    July 13, 2015 This Thread Technical white paper is provided for reference purposes only. The full technical specification is available to Thread Group Members. To join and gain access, please follow this link: http://threadgroup.org/Join.aspx. If you are already a member, the full specification is available in the Thread Group Portal: http://portal.threadgroup.org. If there are questions or comments on these technical papers, please send them to [email protected]. This document and the information contained herein is provided on an “AS IS” basis and THE THREAD GROUP DISCLAIMS ALL WARRANTIES EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO (A) ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OF THIRD PARTIES (INCLUDING WITHOUT LIMITATION ANY INTELLECTUAL PROPERTY RIGHTS INCLUDING PATENT, COPYRIGHT OR TRADEMARK RIGHTS) OR (B) ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE OR NONINFRINGEMENT. IN NO EVENT WILL THE THREAD GROUP BE LIABLE FOR ANY LOSS OF PROFITS, LOSS OF BUSINESS, LOSS OF USE OF DATA, INTERRUPTION OF BUSINESS, OR FOR ANY OTHER DIRECT, INDIRECT, SPECIAL OR EXEMPLARY, INCIDENTAL, PUNITIVE OR CONSEQUENTIAL DAMAGES OF ANY KIND, IN CONTRACT OR IN TORT, IN CONNECTION WITH THIS DOCUMENT OR THE INFORMATION CONTAINED HEREIN, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE. Copyright 2015 Thread Group, Inc. All rights reserved. Thread Commissioning July 2015 Revision History Revision Date Comments 1.0 January 29, 2015 Initial Release 2.0 July 13, 2015 Public Release 1 Contents Introduction ................................................................................ 2 Terminology ................................................................................ 2 System Topology ............................................................................... 4 Degrees of Separation ..........................................................................................
  • Harden Zero Knowledge Password Proofs Against Offline Dictionary

    Harden Zero Knowledge Password Proofs Against Offline Dictionary

    Harden Zero Knowledge Password Proofs Against Offline Dictionary Attacks Gijs Van Laer Rono Dasgupta Aditya Patil [email protected] [email protected] [email protected] Matthew Green [email protected] December 12, 2016 Abstract Traditional authentication systems offer ease of use but the security they provide often proves to be inadequate. Hackers use means to gain access to company servers and steal entire databases of password hashes. These hashes are then subject to offline dictionary attacks resulting in the disclosure of millions of passwords. Such password breaches have become commonplace and have caused several major companies to face major losses. Password reuse is a common practice among users and a password breach disclosing a single password on a particular service could result in a user also losing access to their other accounts. Solutions such as multi-factor authentication add some level of security but do not completely solve the problem. There is a need to move towards stronger authentication schemes that do not compromise on ease of use, both for the user and the service provider. In this paper, we propose a novel authentication protocol that is proven hard against offline dictionary attacks. Our protocol implements a combination of a Zero Knowledge Password Proof and a sequentially memory hard hash function. In a concrete instan- tiation of the protocol, we use Schnorr's Zero Knowledge Password Proof combined with the Fiat-Shamir Heuristic for the Zero Knowledge Password Proof and scrypt for the sequentially memory hard hash function. We also describe a library implementing our protocol that we have developed along with an example web application that uses the library.
  • II-2.03 Encryption Policy

    II-2.03 Encryption Policy

    II-2.03 Encryption Policy The Universities at Shady Grove Effective Date: 5/01/2019 Policy Type: IT Security Policy Section II: Data Security PUBLIC Page 1 of 4 The Universities at Shady Grove is hereinafter referred to as "USG" and the Office of Information Technology as “OIT.” 1.0 Purpose The purpose of this policy is to outline USG's standards for use of encryption technology in order to properly secure and manage appropriately its data assets. There are additional USG security policies that reference the types of data that require encryption. This policy does not cover what types of data must be encrypted, but rather how encryption is to be implemented and controlled. 2.0 Scope The scope of this policy covers all data stored on or transmitted across USG-owned, USG- managed, and USG-leased systems, devices, media, and networks. This policy also applies to all USG hired personnel, contractors, and third-party services. 3.0 Policy 3.1 Encryption Minimum Standards USG requires the use of all encryption algorithms and standards to, at a minimum, comply with the following: • NIST Special Publication 800-175B (“Guideline for Using Cryptographic Standards in the Federal Government: Cryptographic Mechanisms”), • Federal Information Processing Standards (FIPS) Publication 140-2 (“Security Requirements for Cryptographic Modules”), • Or any other superseding publication, regulation, or USM/State of Maryland policy The use of proprietary encryption is expressly forbidden since it has not been subjected to public inspection and its security cannot
  • The Summation-Truncation Hybrid: Reusing Discarded Bits for Free

    The Summation-Truncation Hybrid: Reusing Discarded Bits for Free

    The Summation-Truncation Hybrid: Reusing Discarded Bits for Free Aldo Gunsing and Bart Mennink Digital Security Group, Radboud University, Nijmegen, The Netherlands [email protected], [email protected] Abstract. A well-established PRP-to-PRF conversion design is trun- cation: one evaluates an n-bit pseudorandom permutation on a certain input, and truncates the result to a bits. The construction is known to achieve tight 2n−a=2 security. Truncation has gained popularity due to its appearance in the GCM-SIV key derivation function (ACM CCS 2015). This key derivation function makes four evaluations of AES, truncates the outputs to n=2 bits, and concatenates these to get a 2n-bit subkey. In this work, we demonstrate that truncation is wasteful. In more detail, we present the Summation-Truncation Hybrid (STH). At a high level, the construction consists of two parallel evaluations of truncation, where the truncated (n − a)-bit chunks are not discarded but rather summed together and appended to the output. We prove that STH achieves a similar security level as truncation, and thus that the n − a bits of extra output is rendered for free. In the application of GCM-SIV, the current key derivation can be used to output 3n bits of random material, or it can be reduced to three primitive evaluations. Both changes come with no security loss. Keywords: PRP-to-PRF, Truncation, Sum of permutations, Efficiency, GCM-SIV 1 Introduction The vast majority of symmetric cryptographic schemes is built upon a pseu- dorandom permutation, such as AES [21]. Such a function gets as input a key and bijectively transforms its input to an output such that the function is hard to distinguish from random if an attacker has no knowledge about the key.